m (→RFC 5280) |
|||
| Line 42: | Line 42: | ||
Auditing of root and intermediate certificates must include checking compliance with the BRs and with [http://tools.ietf.org/html/rfc5280 RFC 5280]. For example: | Auditing of root and intermediate certificates must include checking compliance with the BRs and with [http://tools.ietf.org/html/rfc5280 RFC 5280]. For example: | ||
* Intermediate certificates must be checked for duplicate serial numbers, which is forbidden by section 4.1.2.2 of RFC 5280. | * Intermediate certificates must be checked for duplicate serial numbers, which is forbidden by section 4.1.2.2 of RFC 5280. | ||
* Cryptographic algorithm and key sizes must meet BR Appendix A. | * Cryptographic algorithm and key sizes must meet BR Appendix A. (section 6.1.5 in BR version 1.3) | ||
* Certificate | * Certificate Extensions must comply with BR Appendix B.(section 7.1.2 in BR version 1.3) | ||
* Intermediate certificates must either be technically constrained or publicly disclosed and audited as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17]. (sections 7.1.5 and 8 in BR version 1.3) | * Intermediate certificates must either be technically constrained or publicly disclosed and audited as described in [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ Mozilla's CA Certificate Inclusion Policy] and [https://cabforum.org/baseline-requirements-documents/ BR sections 9.7 and 17]. (sections 7.1.5 and 8 in BR version 1.3) | ||
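Review bot: In the new text of the Certificate Extensions bullet, "Appendix B.(section 7.1.2 in BR version 1.3)" is missing the space after the period that the other bullets have ("Appendix A. (section 6.1.5 in BR version 1.3)"); add it so all three cross-references are formatted the same way. The bullets now mix two numbering schemes (Appendix A/B and sections 9.7 and 17 alongside the version 1.3 section numbers) without naming the BR version the older references come from, so an auditor cannot tell which document edition "Appendix A" refers to; consider stating that version once, or moving each parenthetical inside its sentence, for example "must meet BR Appendix A (section 6.1.5 in BR version 1.3)."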